My first RSA Conference was certainly an adventure. I needed both hands to count how many times a speaker used ChatGPT to write a section of their presentation! However, I didn't need any AI help to have a packed room for my “Architecting Security for Regulated Workloads in Hybrid Cloud” session. Architecting security appears to have been a popular topic for the conference, as an enterprise architecture session on the final day was also well attended.
With the updated release of IBM Cloud for Financial Services, IBM has been working on an enterprise development lifecycle for hybrid cloud workloads, including secure-by-design practices, reference architectures, deployable architecture automation, and continuous compliance. As I discuss the challenges that we all face with standard architectural practices, I will provide examples of how best practices are being applied today.
The magic of architectural thinking for security
During my presentation, I proposed that as an industry, we have design thinking to gather user requirements, then some ad hoc "magic" happens to create an architecture, followed by engineering practices, including threat modelling, to deliver system security. There are no widely used architectural thinking practices for designing security into complex IT systems.
This is a significant problem for regulated industries like financial services, where each organisation requires different types of documentation to be delivered to demonstrate effective architectural thinking has been completed. As the transition to hybrid multi-cloud occurs, architectural documentation is likely to become more divergent as new techniques for dealing with complexity are developed.
Architecture and engineering
Before we get further into a discussion of architecture and engineering, let’s be clear about terminology. Maier and Rechtin, in their book The Art of Systems Architecting 3rd Edition, suggested that engineering analysis alone is not sufficient to create and build complex systems. They suggest:
“Architecting seeks to communicate across the gap from the user/sponsor/client to the engineer/developer, and architecting is complete (at least its initial phase) when a system is well-enough defined to engage developers.” and “Engineering aims for technical optimization, architecting for client satisfaction. Engineering is more of a science, and architecting is more of an art.”
Grady Booch, an IBM Fellow, further explained architecture and the impact of design decisions on Twitter:
It’s clear from thought leaders in architecture and engineering that architectural thinking is an important step in developing a complex system.
A method for architecting security into IT systems
During my session, I took the audience through the “Architectural Thinking for Security” method developed within IBM, which is taught to IBMers globally and in two cybersecurity MSc degree modules in the UK. The techniques and artifacts are appropriate for both waterfall and agile delivery methods, with multiple approaches to traceability for demonstrating compliance in a regulated industry.
IBM has used these techniques in the IBM Cloud Framework for Financial Services by developing a controls catalog based on selected NIST SP800-53 controls and additional controls identified through industry collaboration. Control requirements for the framework are traced through the reference architecture and checked for continuous compliance with the IBM Cloud Security and Compliance Center.
I try not to use the term "security architecture" because there is either an architecture that describes a security capability or an architecture that includes elements of security. Security should not be separated from the overall architecture of an IT system, but rather integrated.
A standard for architectural thinking
Later, I hosted a Birds of a Feather session on "Architectural Thinking for Security and Compliance," which drew twice as many people as there were available seats. What I discovered was that everyone came to learn what everyone else was doing because they would like a standardised approach to security. The analogy of civil architecture and engineering was suggested as an area with standardised techniques and tooling. For example, if I built a tower block, the architect would have an overall architecture that would be made up of repeatable architectural patterns described using industry standard practices.
Architectural patterns (or reference architectures) were suggested by an attendee as an important part of architectural thinking, accelerating the design of security into systems. IBM has developed IBM Cloud for Financial Services reference architectures with deployable architecture automation to bring consistency to the delivery of controls. However, each cloud service provider has its own architecture diagram format with different semantics for each component, making it difficult to define a standard architectural pattern.
There are methods and techniques available, but they are limited by the barrier of expensive classes to attend, and even then, the courses have not been adapted to the complexity of hybrid multi-cloud at scale. We discussed the need for an open architectural thinking method with techniques and artefacts that bring consistency and rigour to the way security is designed into systems.
Secure-by-design and secure-by-default
The need for standard engineering practices was raised in further sessions, including “The New Ground Truth for Security,” where Alicia Lynch suggested there is a need for a secure development lifecycle. It’s something IBM has been practising for many years with our own Security and Privacy by Design program, aligned with the United States National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF), which drives processes that are required across all business units.
A later session, “Cyber Informed Engineering: Getting Engineers to Live Security-by-Design,” on the National Cyber-Informed Engineering (CIE) Strategy, endorsed the need for improved cybersecurity practices in engineering, with secure-by-design and secure-by-default practices also being supported through the CISA Secure-by-Design initiative.
Clarity of Understanding
From all speakers, there was a clear need for improved understanding of the roles played by “architecture” and “engineering.” A complex system is made of many components that are engineered by different suppliers and integrated together into a system. In addition to the engineering of the individual components, there is a need to ensure that the organisations providing systems integration embed security into the architecture they develop and the requirements they give to suppliers.
Open Architecture Thinking
I asked the Birds of a Feather session who should be responsible for developing open security practices for architectural thinking. Design Thinking and Security Engineering practices came from industry and are widely available; should the cybersecurity industry step up to create open architectural thinking practices?
There was interest at the conference from another leading technology supplier in collaborating to develop a more open set of practices for architectural thinking for security. Would financial services organisations like to be engaged to create open standards? What do you think? I would like to hear your thoughts. Please leave a comment below and let's discuss.